Google's DoubleClick and Microsoft's MSN were found to be offering up malicious ads. (Source: Armorize)

Whoops, sorry guys... those ads were actually malware

Google's advertising subsidiary DoubleClick and Microsoft’s MSN ads
service both have admitted to falling for a clever scheme by some nasty black
hat hackers. Malicious banner ads for both services were
found to be trying to perform drive-by download exploitation and install
malware on users' machines.

As with many great (or terrible) episodes of computer crime, a key
component was clever social engineering. Hackers created a site called
ADShufffle.com -- one letter away from ADShuffle.com, a major online
advertising technology firm. Apparently that was enough to get the ads
through screeners at Microsoft and Google.

Security firm Armorize appears to be the first to have noticed the
attack. Wayne Huang chief technology officer of Armorize details the
unusual incident in a blog, writing:

Users visit websites that incorporate banner ads from DoubleClick or
rad.msn.com, the malicious javascript is served from ADShufffle.com (notice the
three f's), starts a drive-by download process and if successful, HDD Plus and
other malware are installed into the victim's machine, without having the need
to trick the victim into doing anything or clicking on anything. Simply
visiting the page infects the visitors.

Known sites affected: Sites that incorporate DoubleClick or
rad.msn.com banners, including for example Scout.com (using DoubleClick),
realestate.msn.com, msnbc.com (using both), and mail.live.com. We'd like to
note here it's very possible that multiple exchanges, besides those listed
here, have been serving the fake ADShufffle's ads.

For all its ingenuity, the attackers used pretty standard exploitation
packages, including Neosploit and the Eleonore exploit kit. Both kits are
popular among black hat hackers, but also among security experts who purchase
them to battle-test the security of corporate systems.

The latest attack used Javascript exploits to begin a download
procedure, which was triggered when users visited a page that was serving the
compromised banner ads. The ad service would then request the code for
the ad from the hackers' servers, initiating the attack.

A Google spokesperson assured that the ads were only up for a very
brief time and have since been terminated. The company is now
investigating the incident. Microsoft did not release a statement, but
likely is taking similar measures.

The
incident is not Google's first brush with malware advertising. Previously
malicious hackers were found to be leveraging Google's AdWords service. In
that case, as well, the key to the criminals' success was using
legitimate-looking links.

"Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town." -- Charlie Miller